It is often helpful to be able to obtain a good cryptographic checksum of a file, e.g. the SHA-256 hash. This can be used to verify file integrity, so long as you have a reliable source for the hash.

Support for both SHA-256 and MD5 from the command line are provided by default in Ubuntu and probably other flavors of Linux and BSD via the sha256sum and md5sum programs.

On a Mac (10.5) I see the "md5" command-line program, but nothing for SHA-256. Given the hash collision problems with MD5, it is a less-than-ideal choice.

And I can't find any software installed by default on Windows to compute any crypto hashes. The closest to "standard" I've seen was a Microsoft reference to how to download an optional command line program, File Checksum Integrity Verifier utility which can do SHA-1 (which is still relatively safe), but not SHA-256.

One download that I've run across for SHA-256 is hashcalc for cross-platform GUI support, but I haven't vetted it or tried it.

Am I missing any default secure hash software (better than MD5) for Windows or Mac?

Is there a page somewhere that gives good hashing tool advice for a variety of operating systems? Ideally it would lead to safe, convenient GUI solutions.

Clarification:
I'm looking for advice I can share with others, which will help them safely work with hashes. By "safe" I mean something which, for example, a government employee could relatively easily determine to not be too risky. For example, software installed by default, documented and backed by the vendor, is much less risky than installing some third-party executable off the Internet. If it has to be third-party software, then something that is vetted and recommended by experts is preferred.

7 Answers
7

The one tool that comes to mind, particularly for Unixes (or however you're supposed to pluralise that) is openssl:

openssl dgst -sha256 path/to/file

The openssl dgst command provides a lot of common hashing options, and openssl is installed on most Unix systems by default and is also available for Windows. I believe it ships with OSX too. I agree, it is a less than ideal situation for Windows to ship without such a tool.

As for GUI tools, I do not, personally know of any other than HashCalc, which you have already mentioned.

Thanks - I found openssl on a nearby Mac (10.5), but it was running OpenSSL 0.9.7l 28 Sep 2006, which does not have "-sha256". It does have "-sha1", so that is a big step up from MD5....
– nealmcbNov 6 '11 at 21:28

For Windows, you can use PowerShell, which is installed by default on Windows 7 / Server 2008 R2 and onwards. The Get-FileHash function was introduced in PowerShell v4, which comes with Windows 8.1 and Windows Server 2012 R2. For older PowerShell versions, these scripts from James Manning's blog will do the trick.

Unfortunately, neither is provided with Windows, they require a separate installation.

Here's a simple one-liner to compute the HMAC of a file using Python. Type the key in hexadecimal in the terminal (or pass it on standard input with echo … |, but beware that the key will then end up in the shell history). The file is read into memory, which won't do for large files.

On Windows, a simple hash verifier (supporting SHA and a few more, and HMAC) that's usable by a non-technical person is SlavaSoft HashCalc. Unfortunately, it's not open-source, so you may not have the utmost confidence it its operation.

sphlib is a library which implements many hash functions, written in C. It includes a command-line tool (sphsum) which mimics the behaviour of md5sum / sha1sum and its ilk, and supports MD5 and SHA-256 (and a bunch of other functions). It compiles on all kinds of Unix-like systems (including MacOS) and also on Windows (build instructions are included, but you will need Visual C, MinGW or lccwin32).

sphlib also includes Java implementation of all these hash functions. Speaking of which, both Java and .NET include SHA-256 implementations by default, so you could make a Java applet and/or a C# assembly which do the hashing. Thus, you would rely only on components provided by either Oracle or Microsoft; it would be hard to be more "official" than that.

Besides md5, MacOS X (10.7, at least) includes a utility called shasum which can compute hashes with any of the SHA-* family (SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512). Use it like this: